Sandbox updates #552
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
workflow_dispatch: | |
inputs: | |
ENVIRONMENT_NAME: | |
description: 'Environment Name' | |
required: true | |
default: Stokenet | |
type: choice | |
options: | |
- Stokenet | |
push: | |
branches: | |
- develop | |
- release/* | |
pull_request: | |
branches: | |
- develop | |
- release/** | |
release: | |
types: [published] | |
jobs: | |
snyk-scan-deps-licences: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'radix-dapp-toolkit' | |
step_name: 'snyk-scan-deps-licenses' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Run Snyk to check for deps vulnerabilities | |
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=critical | |
snyk-scan-code: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'radix-dapp-toolkit' | |
step_name: 'snyk-scan-code' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Run Snyk to check for code vulnerabilities | |
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --severity-threshold=high | |
command: code test | |
snyk-sbom: | |
runs-on: ubuntu-latest | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
needs: | |
- snyk-scan-deps-licences | |
- snyk-scan-code | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'radix-dapp-toolkit' | |
step_name: 'snyk-sbom' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Generate SBOM # check SBOM can be generated but nothing is done with it | |
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json | |
command: sbom | |
build: | |
runs-on: ubuntu-latest | |
needs: | |
- snyk-scan-deps-licences | |
- snyk-scan-code | |
outputs: | |
tag: ${{ steps.setup_tags.outputs.tag }} | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c | |
- name: Setup tags for docker image | |
id: setup_tags | |
run: echo "tag=sha-$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
- name: Use Node.js | |
uses: actions/setup-node@7c29869aec4da703a571b27bcd84d4f15af0b56e | |
with: | |
node-version: '18.x' | |
- name: Authenticate with private NPM package | |
run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPMJS_TOKEN }}" > ~/.npmrc | |
- name: Install dependencies | |
run: npm ci | |
- name: Run tests | |
run: npm run test | |
- name: Build | |
run: npm run build | |
- name: Dump context | |
uses: crazy-max/ghaction-dump-context@v2 | |
push-docker-image: | |
name: (PRIVATE) Docker AMD | |
needs: | |
- build | |
uses: radixdlt/public-iac-resuable-artifacts/.github/workflows/docker-build.yml@main | |
with: | |
runs_on: ubuntu-latest | |
image_registry: "docker.io" | |
image_organization: "radixdlt" | |
image_name: "private-radix-dapp-toolkit" | |
tag: ${{ needs.build.outputs.tag }} | |
tags: | | |
type=semver,pattern={{version}} | |
context: "./" | |
dockerfile: "./Dockerfile" | |
platforms: "linux/amd64" | |
scan_image: true | |
snyk_target_ref: ${{ github.ref_name }} | |
snyk-monitor: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'radix-dapp-toolkit' | |
step_name: 'snyk-monitor' | |
secret_prefix: 'SNYK' | |
secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
- name: Enable Snyk online monitoring to check for vulnerabilities | |
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 | |
with: | |
args: --all-projects --org=${{ env.SNYK_PROJECTS_ORG_ID }} --target-reference=${{ github.ref_name }} | |
command: monitor | |
snyk-container-monitor: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/develop') | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
pull-requests: read | |
contents: read | |
deployments: write | |
steps: | |
- uses: radixdlt/public-iac-resuable-artifacts/snyk-container-monitor@main | |
with: | |
role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} | |
app_name: 'radix-dapp-toolkit' | |
step_name: 'snyk-container-monitor' | |
dockerhub_secret_name: ${{ secrets.AWS_SECRET_NAME_DOCKERHUB }} | |
snyk_secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} | |
parse_json: true | |
snyk_org_id: ${{ secrets.SNYK_ORG_ID }} | |
image: docker.io/radixdlt/private-radix-dapp-toolkit:${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
target_ref: ${{ github.ref_name }} | |
deploy-pr: | |
if: ${{ github.event_name == 'pull_request' }} | |
runs-on: ubuntu-latest | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
with: | |
version: 2 | |
- name: Setup helmfile and helm | |
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
with: | |
helm-diff-plugin-version: 'v3.1.3' | |
helmfile-version: 'v0.144.0' | |
helm-version: 'v3.11.0' | |
install-kubectl: no | |
- name: Install kubectl | |
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
with: | |
version: 'v1.25.6' | |
- name: Configure AWS credentials for deployment | |
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
with: | |
role-to-assume: ${{ secrets.DEPLOY_PR_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Deploy application | |
working-directory: deploy/helm | |
run: | | |
cat <<DOC > namespace.yaml | |
apiVersion: hnc.x-k8s.io/v1alpha2 | |
kind: SubnamespaceAnchor | |
metadata: | |
name: radix-dapp-toolkit-pr-${{ github.event.number }} | |
namespace: radix-dapp-toolkit-ci-pr | |
DOC | |
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
--alias ${{ secrets.CLUSTER_NAME }} \ | |
--region eu-west-2 | |
kubectl apply -f namespace.yaml | |
helmfile --environment pr --namespace radix-dapp-toolkit-pr-${{ github.event.number }} \ | |
--state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
apply | |
env: | |
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
INGRESS_DOMAIN: radix-dapp-toolkit-pr-${{ github.event.number}}.${{ secrets.INGRESS_DOMAIN }} | |
HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
deploy-dev: | |
if: github.ref == 'refs/heads/develop' && github.event_name == 'push' | |
runs-on: ubuntu-latest | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
with: | |
version: 2 | |
- name: Setup helmfile and helm | |
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
with: | |
helm-diff-plugin-version: 'v3.1.3' | |
helmfile-version: 'v0.144.0' | |
helm-version: 'v3.11.0' | |
install-kubectl: no | |
- name: Install kubectl | |
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
with: | |
version: 'v1.25.6' | |
- name: Configure AWS credentials for deployment | |
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
with: | |
role-to-assume: ${{ secrets.DEPLOY_DEV_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Deploy application | |
working-directory: deploy/helm | |
run: | | |
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
--alias ${{ secrets.CLUSTER_NAME }} \ | |
--region eu-west-2 | |
helmfile --environment dev --namespace radix-dapp-toolkit-dev \ | |
--state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
apply | |
env: | |
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
INGRESS_DOMAIN: radix-dapp-toolkit-dev.${{ secrets.INGRESS_DOMAIN }} | |
HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
deploy-release: | |
if: startsWith(github.ref_name,'release/') | |
runs-on: ubuntu-latest | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
with: | |
version: 2 | |
- name: Setup helmfile and helm | |
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
with: | |
helm-diff-plugin-version: 'v3.1.3' | |
helmfile-version: 'v0.144.0' | |
helm-version: 'v3.11.0' | |
install-kubectl: no | |
- name: Install kubectl | |
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
with: | |
version: 'v1.25.6' | |
- name: Configure AWS credentials for deployment | |
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
with: | |
role-to-assume: ${{ secrets.DEPLOY_RELEASES_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Deploy application | |
working-directory: deploy/helm | |
run: | | |
aws eks update-kubeconfig --name ${{ secrets.CLUSTER_NAME }} \ | |
--alias ${{ secrets.CLUSTER_NAME }} \ | |
--region eu-west-2 | |
BRANCH_NAME=${{ github.ref_name }} | |
NORMALIZED_BRANCH_NAME=${BRANCH_NAME/\//-} | |
cat <<DOC > subns-manifest.yaml | |
apiVersion: hnc.x-k8s.io/v1alpha2 | |
kind: SubnamespaceAnchor | |
metadata: | |
name: radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME | |
namespace: radix-dapp-toolkit-ci-releases | |
DOC | |
kubectl apply -f subns-manifest.yaml | |
helmfile --environment dev --namespace radix-dapp-toolkit-$NORMALIZED_BRANCH_NAME \ | |
--state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
--state-values-set "ci.ingressDomain=radix-dapp-toolkit-${NORMALIZED_BRANCH_NAME}.${{ env.INGRESS_DOMAIN }}" \ | |
apply | |
env: | |
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
INGRESS_DOMAIN: ${{ secrets.INGRESS_DOMAIN }} | |
HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
deploy-stokenet: | |
if: ( github.event.inputs.ENVIRONMENT_NAME == 'Stokenet' && github.event_name == 'workflow_dispatch' ) | |
runs-on: ubuntu-latest | |
environment: stokenet | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
with: | |
version: 2 | |
- name: Setup helmfile and helm | |
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
with: | |
helm-diff-plugin-version: 'v3.1.3' | |
helmfile-version: 'v0.144.0' | |
helm-version: 'v3.11.0' | |
install-kubectl: no | |
- name: Install kubectl | |
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
with: | |
version: 'v1.25.6' | |
- name: Configure AWS credentials for deployment | |
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
with: | |
role-to-assume: ${{ secrets.DEPLOY_STOKENET_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Deploy application | |
working-directory: deploy/helm | |
run: | | |
aws eks update-kubeconfig --name ${{ secrets.STOKENET_CLUSTER_NAME }} \ | |
--alias ${{ secrets.STOKENET_CLUSTER_NAME }} \ | |
--region eu-west-2 | |
helmfile --environment stokenet --namespace radix-dapp-toolkit-stokenet \ | |
--state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
apply | |
env: | |
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
INGRESS_DOMAIN: ${{ secrets.STOKENET_INGRESS_DOMAIN }} | |
HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} | |
deploy-mainnet: | |
if: github.event_name == 'release' && !github.event.release.prerelease | |
runs-on: ubuntu-latest | |
needs: | |
- push-docker-image | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: read | |
steps: | |
- uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b | |
- uses: unfor19/install-aws-cli-action@457b7980b125044247e455d87b9a26fc2299b787 | |
with: | |
version: 2 | |
- name: Setup helmfile and helm | |
uses: mamezou-tech/setup-helmfile@55ae2a66c5af4883148b7a50cc6ddc9b61042184 | |
with: | |
helm-diff-plugin-version: 'v3.1.3' | |
helmfile-version: 'v0.144.0' | |
helm-version: 'v3.11.0' | |
install-kubectl: no | |
- name: Install kubectl | |
uses: azure/setup-kubectl@901a10e89ea615cf61f57ac05cecdf23e7de06d8 #v3.2 | |
with: | |
version: 'v1.25.6' | |
- name: Configure AWS credentials for deployment | |
uses: aws-actions/configure-aws-credentials@bab55d3830fe69833c9fecaa51fe2c829a7508f3 | |
with: | |
role-to-assume: ${{ secrets.DEPLOY_MAINNET_IAM_ROLE }} | |
aws-region: eu-west-2 | |
- name: Deploy application | |
working-directory: deploy/helm | |
run: | | |
aws eks update-kubeconfig --name ${{ secrets.MAINNET_CLUSTER_NAME }} \ | |
--alias ${{ secrets.MAINNET_CLUSTER_NAME }} \ | |
--region eu-west-2 | |
helmfile --environment mainnet --namespace radix-dapp-toolkit-mainnet \ | |
--state-values-set "ci.tag=${{ env.CI_TAG }}" \ | |
--state-values-set "ci.ingressDomain=${{ env.INGRESS_DOMAIN }}" \ | |
apply | |
env: | |
CI_TAG: ${{ fromJSON(needs.push-docker-image.outputs.json).labels['org.opencontainers.image.version'] }} | |
INGRESS_DOMAIN: ${{ secrets.MAINNET_INGRESS_DOMAIN }} | |
HELM_GH_USER: ${{ secrets.HELM_GH_USER }} | |
HELM_GH_PASS: ${{ secrets.HELM_GH_PASS }} |